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A Description of the ARIA Encryption Algorithm 
Abstract 


This document describes the ARIA encryption algorithm. ARIA is a 
128-bit block cipher with 128-, 192-, and 256-bit keys. The 
algorithm consists of a key scheduling part and data randomizing 
part. 


Status of This Memo 


This document is not an Internet Standards Track specification; it is 
published for informational purposes. 


This is a contribution to the RFC Series, independently of any other 
RFC stream. The RFC Editor has chosen to publish this document at 
its discretion and makes no statement about its value for 
implementation or deployment. Documents approved for publication by 
the RFC Editor are not a candidate for any level of Internet 
Standard; see Section 2 of RFC 5741. 


Information about the current status of this document, any errata, 
and how to provide feedback on it may be obtained at 
http://www.rfc-editor.org/info/rfc5794. 


Copyright Notice 


Copyright (c) 2010 IETF Trust and the persons identified as the 
document authors. All rights reserved. 


This document is subject to BCP 78 and the IETF Trust’s Legal 
Provisions Relating to IETF Documents 
(http://trustee.ietf.org/license-info) in effect on the date of 
publication of this document. Please review these documents 
carefully, as they describe your rights and restrictions with respect 
to this document. 


Lee, et al. Informational [Page 1] 


RFC 5794 The ARIA Encryption Algorithm March 2010 


1. Introduction 
1.1. ARIA Overview 


ARIA is a general-purpose block cipher algorithm developed by Korean 
cryptographers in 2003. It is an iterated block cipher with 128-, 
192-, and 256-bit keys and encrypts 128-bit blocks in 12, 14, and 16 
rounds, depending on the key size. It is secure and suitable for 
most software and hardware implementations on 32-bit and 8-bit 
processors. It was established as a Korean standard block cipher 
algorithm in 2004 [ARIAKS] and has been widely used in Korea, 
especially for government-to-public services. It was included in 
PKCS #11 in 2007 [ARIAPKCS]. 


2. Algorithm Description 


The algorithm consists of a key scheduling part and data randomizing 
part. 


2.1. Notations 


The following notations are used in this document to describe the 
algorithm. 


bitwise XOR operation 

<<< left circular rotation 

>>> right circular rotation 

|| concatenation of bit strings 
Ox hexadecimal representation 


2.2. Key Scheduling Part 


Let K denote a master key of 128, 192, or 256 bits. Given the master 
key K, we first define 128-bit values KL and KR as follows. 


KL || KR=k || 0... 0, 


where the number of zeros is 128, 64, or 0, depending on the size of 
K. That is, KL is set to the leftmost 128 bits of K and KR is set to 
the remaining bits of K (if any), right-padded with zeros to a 
128-bit value. Then, we define four 128-bit values (W0, W1, W2, and 
W3) as the intermediate round values appearing in the encryption of 


KL || KR by a 3-round, 256-bit Feistel cipher. 
wo = KL, 

Wl = FO(WO, CK1) ^ KR, 

W2 = FE(W1, CK2) ^ WO, 

W3 = FO(W2, CK3) ^ W1. 
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Here, FO and FE, respectively called odd and even round functions, 
are defined in Section 2.4.1.  CK1, CK2, and CK3 are 128-bit 
constants, taking one of the following values. 


C1 = 0x517ccl1b727220a94fel3abe8fa%abeeD 
C2 0x6db14acc9e21c820ff28bld5ef5de2b0 
C3 0xdb92371d2126e9700324977504e8c90e 


These values are obtained from the first 128*3 bits of the fractional 
part of 1/PI, where PI is the circle ratio. Now the constants CK1, 
CK2, and CK3 are defined by the following table. 


Key size CKl CK2 = CK3 


128 Cl C2 C3 
192 C2 €3 Cl 
256 C3 Cl C2 


For example, if the key size is 192 bits, CK1 = C2, CK2 = C3, and 
CK3 = Cl. 


Once WO, W1, W2, and W3 are determined, we compute encryption round 


keys ekl, ..., ek17 as follows. 
ekl = WO *(W1 >>> 19), 

ek2 = W1 *(W2 >>> 19), 

ek3 = W2 *(W3 >>> 19), 

ek4 = (WO >>> 19) ^ W3, 

ek5 = WO ^ (W1 >>> 31), 

ek6 = W1 ^ (W2 >>> 31), 

ek7 = W2 ^ (W3 >>> 31), 

ek8 = (WO >>> 31) ^ W3, 

ek9 = WO ^ (W1 <<< 61), 


ek10 = W1 ^ (W2 <<< 61), 
ek11 = W2 ^ (W3 <<< 61), 
ek12 = (W0 <<< 61) ^ W3, 
ek13 = W0 ^ (W1 <<< 31), 
ek14 = W1 ^ (W2 <<< 31), 
ek15 = W2 ^ (W3 <<< 31), 
ek16 = (WO <<< 31) ^ W3, 
ek17 = W0 ^ (W1 <<< 19). 


The number of rounds depends on the size of the master key as 


follows. 
Key size Number of Rounds 
128 12 
192 14 
256 16 
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Due to an extra key addition layer in the last round, 12-, 14-, and 
16-round algorithms require 13, 15, and 17 round keys, respectively. 


Decryption round keys are derived from the encryption round keys. 
dk1 ek{n+1}, 


dk2 A(ek{n}), 
dk3 = A(ek{n-1}), 


dk tns A(ek2), 
dk{n+1}= ekl. 


Here, A and n denote the diffusion layer of ARIA and the number of 
rounds, respectively. The diffusion layer A is defined in Section 
224.3% 


2.3. Data Randomizing Part 
The data randomizing part of the ARIA algorithm consists of the 
encryption and decryption processes. The encryption and decryption 
processes use functions FO, FE, A, SL1, and SL2. These functions are 


defined in Section 2.4. 


2.3.1. Encryption Process 


2.3.1.1. Encryption for 128-Bit Keys 


Let P be a 128-bit plaintext and K be a 128-bit master key. Let ekl, 
-, ek13 be the encryption round keys defined by K. Then the 
ciphertext C is computed by the following algorithm. 


Pl = FO(P , ekl ); // Round 1 
P2 = FE(P1 , ek2 ); // Round 2 
P3 = FO(P2 , ek3 ); // Round 3 
P4 = FE(P3 , ek4 ); // Round 4 
P5 = FO(P4 , ek5 ); // Round 5 
P6 = FE(P5 , ek6 ); // Round 6 
P7 = FO(P6 , ek7 ); // Round 7 
P8 = FE(P7 , ek8 ); // Round 8 
P9 = FO(P8 , ek9 ); // Round 9 
P10 = FE(P9 , ek10); // Round 10 
P11 = FO(P10, ek11); // Round 11 
C = SL2 (P11 ^ ek12) ^ ek13; // Round 12 
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2.3.1.2. Encryption for 192-Bit Keys 


Let P be a 128-bit plaintext and K be a 192-bit master key. Let ekl, 
-, ek15 be the encryption round keys defined by K. Then the 
ciphertext C is computed by the following algorithm. 


Pl = FO(P , ekl ); // Round 1 
P2 = FE(P1 , ek2 ); // Round 2 
P3 = FO(P2 , ek3 ); // Round 3 
P4 = FE(P3 , ek4 ); // Round 4 
P5 = FO(P4 , ek5 ); // Round 5 
P6 = FE(P5 , ek6 ); // Round 6 
P7 = FO(P6 , ek7 ); // Round 7 
P8 = FE(P7 , ek8 ); // Round 8 
P9 = FO(P8 , ek9 ); // Round 9 
P10 = FE(P9 , ek10); // Round 10 
P11 = FO(P10, ek11); // Round 11 
P12 = FE(P11, ek12); // Round 12 
P13 = FO(P12, ek13); // Round 13 
G = SL2 (P13 ^ ek14) ^ ek15; // Round 14 


2.3.1.3. Encryption for 256-Bit Keys 


Let P be a 128-bit plaintext and K be a 256-bit master key. Let ekl, 
-, ek17 be the encryption round keys defined by K. Then the 
ciphertext C is computed by the following algorithm. 


Pl = FO(P , ekl ); // Round 1 
P2 = FE(P1 , ek2 ); // Round 2 
P3 = FO(P2 , ek3 ); // Round 3 
P4 = FE(P3 , ek4 ); // Round 4 
P5 = FO(P4 , ek5 ); // Round 5 
P6 = FE(P5 , ek6 ); // Round 6 
P7 = FO(P6 , ek7 ); // Round 7 
P8 = FE(P7 , ek8 ); // Round 8 
P9 = FO(P8 , ek9 ); // Round 9 
P10= FE(P9 , ek10); // Round 10 
P11= FO(P10, ek11); // Round 11 
P12= FE(P11, ek12); // Round 12 
P13= FO(P12, ek13); // Round 13 
P14= FE(P13, ek14); // Round 14 
P15= FO(P14, ek15); // Round 15 
C = SL2(P15 ^ ek16) ^ ek17; // Round 16 
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2.3.2. Decryption Process 
The decryption process of ARIA is the same as the encryption process 
except that encryption round keys are replaced by decryption round 
keys. For example, encryption round keys ekl, ..., ek13 of the 
12-round ARIA algorithm are replaced by decryption round keys dkl, 

-, qdk13, respectively. 

2.4. Components of ARIA 

2.4.1. Round Functions 
There are two types of round functions for ARIA. One is called an 
odd round function and is denoted by FO. It takes as input a pair 
(D,RK) of two 128-bit strings and outputs 
FO(D,RK) = A(SL1(D ^ RK)). 


The other is called an even round function and is denoted by FE. It 
takes as input a pair (D,RK) of two 128-bit strings and outputs 


FE(D,RK) = A(SL2(D ^ RK)). 
Functions SL1 and SL2, called substitution layers, are described in 
Section 2.4.2. Function A, called a diffusion layer, is described in 
Section 2.4.3. 

2.4.2. Substitution Layers 
ARIA has two types of substitution layers that alternate between 
rounds. Type 1 is used in the odd rounds, and type 2 is used in the 


even rounds. 


Type 1 substitution layer SL1 is an algorithm that takes a 16-byte 


string x0 || x1 ||...|] x15 as input and outputs a 16-byte string 
yo || yl ||...]] y15 as follows. 

yO = SB1(x0), yl SB2 (x1), y2 SB3 (x2), y3 = SB4(x3), 

y4 = SB1(x4), y5 = SB2(x5), y6 = SB3(x6), y7 = SB4(x7), 

y8 = SB1(x8), y9 = SB2(x9), yl0= SB3(x10), yll= SB4 (x11), 

y12= SB1(x12), y1l3= SB2(x13), yl4= SB3(x14), y15= SB4 (x15) 

Type 2 substitution layer SL2 is an algorithm that takes a 16-byte 
string x0 || x1 ||...|| x15 as input and outputs a 16-byte string 
yo || yl ||...]] y15 as follows. 
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yo SB3 (x 
y4 = SB3(x 
y8 = SB3(x 
y12= SB3 (x 
Here, SBI, 


SB1: 


00 63 
10 ca 
20 b7 
30 04 
40 09 
50 53 
60 do 
70 51 
80 cd 
90 60 
a0 e0 
b0 e7 
c0 ba 
d0 70 
e0 el 
£0 8c 


SB2: 


00 e2 
10 5e 
20 ld 
30 00 
40 2d 
50 08 
60 ff 
70 b7 
80 ec 
90 d8 
a0 15 
b0 a7 
c0 30 
dd e6 
e0 90 
£0 ed 
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y1 S 
y5 = S 
y9 =S 
y13= S 
SB3, 


3 


4 


y2 SB1 (x 
y6 = SB1(x 
y10= SB1 (x 
y14= SB1 (x 


y3 SB2 (x 
y7 = SB2(x 
y11= SB2 (x 
y15= SB2(x 
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These S-boxes are defined by the 


5 


6 


7 


8 


9 


a 


Informational 


b 


Cc 


d 


e 


f 


[Page 7] 


RFC 5 


794 


SB3: 


00 
10 
20 
30 
40 
50 
60 
70 
80 
90 
ad 
bo 
co 
do 
e0 
£0 


SB4: 


00 
10 
20 
30 
40 
50 
60 
70 
80 
90 
ad 
bo 
co 
do 
e0 
£0 


30 
3e 
81 
cO 
WE 
8c 
7a 
b8 
da 
e0 
84 
eb 
91 
b2 
f2 
25 


1 


68 
7e 
65 
63 
22 
c2 
e8 
fa 
FE 
47 
e9 
6f 
1f 
Of 
b1 
8a 


For example, 
and SB4 are the inverse functions 
accordingly SL2 is the inverse of 


2.4.3. 


2 


99 
5e 
£5 
6c 
76 
e6 
08 
dc 
cd 
9e 
d2 
d5 
05 
c9 
00 
b5 


SB1 (0x23) 


1b 
8e 
89 
e3 
af 
5f 
2c 
31 
55 
5c 
ba 
f6 
95 
le 
94 
e7 
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4 


87 
Fl 
cb 
b7 
dd 
02 
12 
6b 
86 
04 
5d 
14 
74 
a6 
37 
42 


Diffusion Layer 


5 


6 


21 
cc 
77 
64 
Ob 
75 
32 
ad 
be 
34 
ċ5 
Te 
one 
ec 
do 
EI 


Encryption Algorithm 


7 


8 


50 
2a 
57 
53 
67 
66 
b4 
49 
52 
79 
bf 
5a 
4a 
90 
9c 
£7 


0x26 and 


9 


39 
1d 
43 
aa 
88 
le 
27 
bd 
f8 
26 
a4 
Td 
85 
7b 
6e 
4c 


SB4 (Oxef) 
of SB1 and SB2, 


a 


db 
fb 
56 
38 
06 
e5 
Oa 
51 
bb 
a7 
3b 
fd 
6d 
cf 
28 
11 


SL1. 


b 


el 
b6 
17 
98 
c3 
e2 
23 
96 
0e 
de 
71 
2f 
13 
59 
3£ 
33 


Cc 


d e 


9 62 
20 c4 
40 la 
f4 9b 
Od 01 
d8 10 
ef ca 
e4 a8 
48 69 
ae 92 
46 2b 
83 16 
4f 4e 
al f9 
£0 3d 
a2 ac 


Oxd3. 


3c 
8d 
4d 
ed 
8b 
ce 
d9 
41 
9a 
d7 
fc 
a5 
45 
2d 
d3 
60 
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respectively, and 


Diffusion layer A is an algorithm that takes a 16-byte string x0 | | 
x15 as input and outputs a 16-byte string 
|| y15 by the following equations. 


x1 
yO 
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yO = x3 * x4 * x6 * x8 * x9 F x13 * x14, 
yl = x2 * x5 * x7 * x8 * x9 * x12 * x15, 
y2 = xl * x4 * x6 * x10 * x11 *% x12 %* x15, 
yo = KU ATRI © x7 © XLO A XIL * x13. % x14, 
y4 = x0 * x2 * x5 * x8 A x11 A x14 * x15, 
Vo. Sxl e* x30 (Xa OKO OO L0 LA LS; 
yo rS ROEA SRT ARKI Oe eo kT? SS x13, 
Vi SOx DL Osx SO ORO A KB) AXLI S I2 Ax, 
y8 = x0 * x1 * x4 * x7 * x10 * x13 * x15, 
y9 = x0 ^ x1 ^ x5 ^ x6 ^ x11 ^ x12 ^ x14, 


yl0O = x2 * x3 * x5 * x6 * x8 %* x13 * x15, 
yll = x2 * x3 * x4 * x7 *% x9 *% x12 * x14, 
yl2 = x1 * x2 * x6 * x7 *% x9 *® x11 * x12, 
yl3 = x0 * x3 * x6 * x7 * x8 “* x10 * x13, 
yl4 = x0 ^ x3 ^ x4 ^ x5 ^ x9 ^ x11 ^ x14, 
yl5 = xl * x2 * x4 * x5 *% x8 %* x10 * x15. 


Note that A is an involution. That is, for any 16-byte input string 
x, X = A(A(x)) holds. 


3. Security Considerations 


ARIA is designed to be resistant to all known attacks on block 
ciphers [ARIA03]. Its security was analyzed by the COSIC group of 
K.U.Leuven in Belgium [ARIAEVAL] and no security flaw has been found. 
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Appendix A. 
Here are test data for ARIA in hexadecimal form. 


A.1. 


128-Bit Key 


Key 
Plaintext 
Ciphertext: 


The ARIA Encryption Algorithm 


Example Data of ARIA 


000102030405060708090a0b0c0d0e0f 
00112233445566778899aabbccddeeff 
d718fbd6ab644c739da95f3be6451778 


Round key generators 


wo: 
W1: 
W2: 
W3: 


000102030405060708090a0b0c0d0e0F 


2Zafbea741e1746dd55c63balafcea0a5d 


708578018bb127e02dfe4e78c288e33c 
6785b52b74da4 6bf181054082763ff6d 


Encryption round keys 


el: 
e2: 
e3: 
e4: 
e5: 
e6: 
e7: 
e8: 
e9: 
e10: 
ell: 
e12: 
e13: 


d415a75c794b85c5e0d2a0b3cb793bf6 
369c65e4b11777ab713a3ele6601b8f4 
0368d4f13d14497b6529ad7ac809e7d0 
©644552b549a263fb8d0b50906229eec 
5£9c434951f2d2ef342787b1a781794c 
afea2c0Oce71db6de42a47461£4323c54 
32428 6db44ba4dbb6c44ac306f2a84b2c 
7£9£a93574d842b9101a58063771leb7b 
aab9c57731fcd213ad5677458fcfeb6d4 
2£4423bb06465abada5694al19eb88459 
9£8772808f5d580d810ef 8ddacl3abeb 
8684946a155be77ef810744847e35fad 
Of0aal6daee6lbd7dfee5a599970£b35 


— Intermediate round values 


Lee, 


Pl: 7fc7f12befd0a0791de87fa96b469f52 
P2: ac8del7e49f7c5117618993162b189e9 
P3: c3e8d59ec2e62d5249ca2741653cb7dd 
P4: 5d4aebb165e141f£759£669ele85cc45 
P5: 7806e469f68874c5004b5f4a046bbcfa 
P6: 110£93c9a630cdd51£97d2202413345a 
P7: e054428ef088fef9T79I2Z8241cd3be499e 
P8: 5734f38ealca3ddd102e71£95e1d5£97 
P9: 4903325be3e500cccd52fba4354a39ae 
P10: ch8c508e2c4f£87880639dc89b6d25ec9d 
P11: e7e0d2457ed73d23d481424095afdcal 
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A.2. 192-Bit Key 


Key : 000102030405060708090a0b0c0d0e0fF 
1011121314151617 

Plaintext : 00112233445566778899aabbccddeeff 

Ciphertext: 26449c1805dbe7aa25a468ce263a9e79 


A.3. 256-Bit Key 
Key : 000102030405060708090a0b0c0d0e0fF 
10111213141516171819lalblcidlelf 
Plaintext : 00112233445566778899aabbccddeeff 
Ciphertext: f92bd7c79fb72e2f2b8f80c1972d24fc 
Appendix B. OIDs 


Here is an ASN.1 module conforming to the 2002 version of ASN.1 
[X.680] [X.681] [X.682] [X.683]. 


AriaModesOfOperation { 
iso(1) member-body(2) korea(400) nsri(200046) algorithm (1) 


symmetric-—encryption-algorithm(1) asnl-module(0) alg-oids(0) } 


DEFINITIONS IMPLICIT TAGS ::= 


BEGIN 

OID ::= OBJECT IDENTIFIER 

—-- Synonyms -- 

id-algorithm OID ::= { iso(1) member-body(2) korea(410) nsri(200046) 


algorithm(1) } 


id-sea OID 


{ id-algorithm symmetric-—encryption-algorithm(1) } 


id-pad OID = { id-algorithm pad(2) } 
id-pad-null RELATIVE-OID ::= {0} -- no padding algorithms identified 
id-pad-1 RELATIVE-OID ::= {1} 


-- padding method 2 of ISO/IEC 9797-1:1999 


-—- confidentiality modes: 
-- ECB, CBC, CFB, OFB, CTR 


id-arial28-ecb OID ::= 
id-arial28-cbe OID ::= 
id-arial28-cfb OID :: 

id-arial28-ofb OID : 
id-arial28-ctr OID ::= 


id-sea arial28-ecb (1) } 
id-sea arial28-cbc (2) } 
id-sea arial28-cfb (3) } 
(4) } 
(5) } 


ll 
AAA A 


id-sea arial28-ofb 
id-sea arial28-ctr 
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id-arial92-ecb OID ::= 
id-arial92-cbe OID ::= 
id-arial92-cfb OID ::= 
id-arial92-ofb OID ::= 
id-arial92-ctr OID ::= 


id-sea arial92-ecb (6 
id-sea arial92-cbc (7 
id-sea arial92-cfb (8 
id-sea arial92-ofb(9 
id-sea arial92-ctr (1 


n n a n an 


id-aria256-ecb OID ::= 
id-aria256-cbc OID ::= 
id-aria256-cfb OID :: 

id-aria256-ofb OID : 
id-aria256-ctr OID ::= 


id-sea aria256-ecb (11) } 
id-sea aria256-cbc (12) } 
id-sea aria256-cfb(13) } 
(14) } 
(15) } 


ll 
SANA A 


id-sea aria256-ofb 
id-sea aria256-ctr 


-—- authentication modes: CMAC 


id-arial28-cmac OID ::= { id-sea arial28-cmac (21) } 
id-arial92-cmac OID = { id-sea arial92-cmac (22) } 
id-aria256-cmac OID ::= { id-sea aria256-cmac (23) } 


-- modes for both confidentiality and authentication 
-- OCB 2.0, GCM, CCM, Key Wrap 


id-arial28-ocb2 OID { id-sea arial28-ocb2 (31) } 
id-arial92-ocb2 OID ::= { id-sea arial92-ocb2 (32) } 
id-aria256-ocb2 OID { id-sea aria256-ocb2 (33) } 


id-arial28-gcm OID ::= { id-sea arial28-gcm(34) } 
id-arial92-gcm OID ::= { id-sea arial92-gcm(35) } 
id-aria256-gcem OID ::= { id-sea aria256-gcm(36) } 
id-arial28-ccm OID ::= { id-sea arial28-ccm (37) } 
id-arial92-ccm OID = { id-sea arial92-ccm(38) } 
id-aria256-ccm OID ::= { id-sea aria256-ccm(39) } 


id-arial28-kw OID 
id-arial92-kw OID 
id-aria256-kw OID 


{ id-sea arial28-kw (40) } 
{ id-sea arial92-kw (41) } 
{ id-sea aria256-kw (42) } 


-- ARIA Key-Wrap with Padding Algorithm (AES version: RFC 5649) 


id-arial28-kwp OID ::= { id-sea arial28-kwp (43) } 
id-arial92-kwp OID ::= { id-sea arial92-kwp (44) } 
id-aria256-kwp OID ::= { id-sea aria256-kwp (45) } 
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Lee, 


AriaModeOfOperation ::= 


The ARIA Encryption Algorithm 


AlgorithmIdentifier 


{ {AriaModeOfOperationAlgorithms} } 


AriaModeOfOperationAlgorithms ALGORITHM ::= { 

arial28ecb |arial28cbc |arial28cfb |arial280fb 

arial92ecb |arial92cbc |arial92cfb |arial92ofb 

aria256ecb |aria256cbc |aria256cfb |aria256ofb 

arial28cmac |arial92cmac |aria256cmac | 

arial28o0cb2 |arial92ocb2 |aria256o0cb2 

arial28gcm arial92gcm aria256gcm 

arial28ccm |arial92ccm |aria256ccm | 

arial28kw |arial92kw |aria256kw | 

arial28kwp |arial92kwp |aria256kwp i 
--Extensible 


} 
arial28ecb ALGORITHM 
{ OID id-arial28-ecb 
arial28cbc ALGORITHM 
{ OID id-arial28-cbc 
arial28cfb ALGORITHM 
{ OID id-arial28-cfb 
arial280fb ALGORITHM 
{ OID id-arial28-ofb 
arial28ctr ALGORITHM 
{ OID id-arial28-ctr 


arial92ecb ALGORITHM 
{ OID id-arial92-ecb 
arial92cbc ALGORITHM 
{ OID id-arial92-cbc 
arial92cfb ALGORITHM 
{ OID id-arial92-cfb 


arial92o0fb ALGORITHM 
{ OID id-arial92-ofb 
arial92ctr 


ALGORITHM : 


{ OID id-arial92-ctr PARAMS 


et al. 


PARAMS 


AriaEcbParameters } 
AriaCbcParameters } 
AriaCfbParameters } 
AriaOfbParameters } 


AriaCtrParameters } 


AriaEcbParameters } 
AriaCbcParameters } 


AriaCfbParameters } 


AriaOfbParameters } 


AriaCtrParameters } 
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|arial28ctr 
|arial92ctr 
|aria256ctr 


RFC 5794 The ARIA Encryption Algorithm March 2010 


aria256ecb ALGORITHM ::= 
{ OID id-aria256-ecb PARAMS AriaEcbParameters } 
aria256cbc ALGORITHM ::= 
{ OID id-aria256-cbc PARAMS AriaCbcParameters } 
aria256cfb ALGORITHM ::= 
{ OID id-aria256-cfb PARAMS AriaCfbParameters } 
aria256o0fb ALGORITHM ::= 
{ OID id-aria256-ofb PARAMS AriaOfbParameters } 
aria256ctr ALGORITHM ::= 
{ OID id-aria256-ctr PARAMS AriaCtrParameters } 


arial28cmac ALGORITHM ::= 
{ OID id-arial28-cmac PARAMS AriaCmacParameters } 
arial92cmac ALGORITHM ::= 

{ OID id-arial92-cmac PARAMS AriaCmacParameters } 
aria256cmac ALGORITHM : 

{ OID id-aria256-cmac 


PARAMS AriaCmacParameters } 


arial28o0cb2 ALGORITHM ::= 
{ OID id-arial28-ocb2 PARAMS AriaOcb2Parameters } 
arial92o0cb2 ALGORITHM ::= 
{ OID id-arial92-ocb2 PARAMS AriaOcb2Parameters } 
aria256o0cb2 ALGORITHM ::= 
{ OID id-aria256-ocb2 


PARAMS AriaOcb2Parameters } 


arial28gcm ALGORITHM ::= 
{ OID id-arial28-gcm PARAMS AriaGcmParameters } 
arial92gcm ALGORITHM ::= 
{ OID id-arial92-gcm PARAMS AriaGcmParameters } 
aria256gcm ALGORITHM ::= 
{ OID id-aria256-gcom PARAMS AriaGcmParameters } 


E9 
| 


arial28ccm ALGORITHM ::= 
{ OID id-arial28-ccm PARAMS AriaCcmParameters } 
arial92ccm ALGORITHM ::= 
{ OID id-arial92-ccm PARAMS AriaCcmParameters } 
aria256ccm ALGORITHM ::= 
{ OID id-aria256-ccm PARAMS AriaCcmParameters } 


arial28kw ALGORITHM : { OID id-arial28-kw } 
arial92kw ALGORITHM ::= { OID id-arial92-kw } 
aria256kw ALGORITHM : { OID id-aria256-kw } 


arial28kwp ALGORITHM ::= { OID id-arial28-kwp } 
arial92kwp ALGORITHM : { OID id-arial92-kwp } 
aria256kwp ALGORITHM { OID id-aria256-kwp } 
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AriaPadAlgo = CHOICE { 
specifiedPadAlgo RELATIVE-OID, 
generalPadAlgo OID 
} 
AriaEcbParameters = SEQUENCE { 
padAlgo AriaPadAlgo DEFAULT specifiedPadAlgo:id-pad-null 
} 
AriaCbcParameters = SEQUENCE { 
m INTEGER DEFAULT 1, 
-—- number of stored ciphertext blocks 
padAlgo AriaPadAlgo DEFAULT specifiedPadAlgo:id-pad-1 
} 
AriaCfbParameters = SEQUENCE { 
ia INTEGER, 
—- bit-length of feedback buffer, 128<=r<=128*1024 
k INTEGER, 
-- bit-length of feedback variable, 1<=k<=128 
j INTEGER, 
-- bit-length of plaintext/ciphertext block, 1<=j<=k 
padAlgo AriaPadAlgo DEFAULT specifiedPadAlgo:id-pad-null 
} 
AriaOfbParameters = SEQUENCE { 
j INTEGER, 
-- bit-length of plaintext/ciphertext block, 1<=j<=128 
padAlgo AriaPadAlgo DEFAULT specifiedPadAlgo:id-pad-null 
} 
AriaCtrParameters = SEQUENCE { 
j INTEGER, 
-- bit-length of plaintext/ciphertext block, 1<=j<=128 
padAlgo AriaPadAlgo DEFAULT specifiedPadAlgo:id-pad-null 
} 
AriaCmacParameters = INTEGER -- bit-length of authentication tag 
AriaOcb2Parameters = INTEGER -- bit-length of authentication tag 
AriaGcmParameters = SEQUENCE { 


INTEGER, 
INTEGER 


S 
t 


Lee, et al. 


-- bit-length of starting variable 
-- bit-length of authentication tag 
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AriaCcmParameters ::= SEQUENCE { 
w INTEGER (2|3]4|5|6|7|8), 
-- length of message length field in octets 
t INTEGER (32|48|64|80|96|112|128) 


—- bit-length of authentication tag 
J 


ALGORITHM ::= CLASS { 
&id OBJECT IDENTIFIER UNIQUE, 
&Type OPTIONAL 


} 
WITH SYNTAX { OID &id [PARAMS &Type] } 


AlgorithmIdentifier { ALGORITHM:AlgoSet } ::= SEQUENCE { 
algorithm ALGORITHM.&id( {AlgoSet} ), 
parameters ALGORITHM.&Type( {AlgoSet}{@algorithm} ) OPTIONAL 


END 
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